Cowin: Cowin website is completely safe, says health ministry; IT minister tweets in support – Times of India

The health ministry has denied reports of data breach of Cowin website that has appeared on some social media platforms. These reports allege breach of data from the Cowin portal of the union health ministry, which is a repository of all data of beneficiaries who have been vaccinated against Covid19. Cowin was developed and is owned and managed by the ministry of health and family welfare.Certain posts on the social media platform Twitter claimed that using a Telegram (online messenger application) Bot, the personal data of individuals who have been vaccinated can be accessed. It is reported that the Bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.
The ministry clarified that all such reports are without any basis and mischievous in nature. Cowin portal of the health ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the Cowin portal, with web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, identity & access management etc. Only OTP authentication-based access of data is provided. It further said that all steps have been taken and are being taken to ensure security of the data in the Cowin portal.
IT minister Rajeev Chandrasekhar too denied the suspected data hack. In a tweet, pointed out 4 things to support his statement. “With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this
✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers
✅The data being accessed by bot from a threat actor database, which seems to hv been populated wth previously stolen data stolen in the past.
✅It does not appear that Cowin app or database has been directly breached
✅National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”
Presently, Cowin data access is available at three levels:
* Beneficiary dashboard: The person who has been vaccinated can have an access to the Cowin data through use of registered mobile number with OTP authentication.
* Cowin authorized user: The vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries. But the Cowin system tracks and keeps record of each time an authorised user accesses the Cowin system.
* API-based access: The third party applications who have been provided authorised access of Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

Health ministry asks CERT-In to review security
The Union Health Ministry has requested India’s nodal cybersecurity agency — Computer Emergency Response Team (CERT-In) — to look into the alleged security breach and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of Cowin. CERT-In in its initial report has pointed out that the backend database for Telegram bot was not directly accessing the APIs of the CoWIN database.